Git-Dependabot Alert - Child dependency version to be upgraded
Balaji-CDE opened this issue · comments
- NPM version (
npm -v): 6.14.12 - Node version (
node -v): 14.16.1 - Node Process (
node -p process.versions): {
node: '14.16.1',
v8: '8.4.371.19-node.18',
uv: '1.40.0',
zlib: '1.2.11',
brotli: '1.0.9',
ares: '1.16.1',
modules: '83',
nghttp2: '1.41.0',
napi: '7',
llhttp: '2.1.3',
openssl: '1.1.1k',
cldr: '37.0',
icu: '67.1',
tz: '2020a',
unicode: '13.0'
} - Node Platform (
node -p process.platform): darwin - Node architecture (
node -p process.arch): x64 - node-sass version (
node -p "require('node-sass').info"): node-sass 8.0.0 (Wrapper) [JavaScript] - npm node-sass versions (
npm ls node-sass): node-sass@8.0.0
The latest version of node-sass uses make-fetch-happen of version ^10.0.4, which has a child dependency "http-cache-semantics": "^4.1.0" whereas http-cache-semantics(4.1.0) has security vulnerabilities and is treated as a dependabot alert in our application.
So can you upgrade the version of make-fetch-happen to 11.0.3 in node-sass which will address all the security vulnerabilities.